Adobe CQ5 API Usage

Question

1. I am managing a website which uses Adobe CQ5 as their management system. I am aware that there is a tool querybuilder.json in the /bin folder -- My question is, if an outside user would use this tool which API-syntax would they use to query "important" or "sensitive information". I need to know this so that I can block access to those syntax strings during GET or POST. Any help is appreciated, thanks!

So, what I'm asking is, if an attacker got access to the query builder link, would he be able to query passwords or internal login's, if so how? And if that, which syntax for the query builder can i remove to provoke this?

2. Also, would anyone be able to tell me the proper syntax for the adobe querybuilder that can give you the hostname or web location where the directory that it lists is located?

So for example, if I got back /apps/geometrixx/user/login as output, I would also want to get the url that this file path is at on my server. Is there a syntax available for this action?

Mateusz Chromiński Mateusz Chromiński · Accepted Answer · 2014-10-20T17:23:58

Please consider disabling all requests to paths starting with /bin prefix for your publish instance.

This is a common storage for all servlets that are very useful for authoring but not as much for the other instance.

If you have any custom servlets in the application please take a look at Apache Sling documentation and consider using resource based servlets.

@SlingServlet(
    resourceTypes = "sling/servlet/default",
    selectors = "hello",
    extensions = "html",
    methods = "GET")
public class MyServlet extends SlingSafeMethodsServlet {

This way you can control the access to the servlet using ACLs - if you have an access to the node (i.e. you can see it/render a component based on this resource) you will have an access to the servlet.

Adobe CQ5 API Usage

2 Answers